Insights, news, education and announcements from PolySwarm

VajraSpy Android Spyware

Written by The Hivemind | Feb 20, 2024 5:02:15 PM

Executive Summary

VajraSpy is a RAT used by the Patchwork APT group to target Android users. The threat actors used twelve trojanized Android apps to deliver the malware. 

Key Takeaways

  • VajraSpy is a RAT used by the Patchwork APT group to target Android users.
  • The threat actors used twelve trojanized Android apps to deliver the malware. 
  • The apps were installed over 1400 times, and some are still available on unofficial app repositories. 
  • The threat actors likely used a honeytrap romance scam to trick victims into installing the malware. 
  • Patchwork is an India-nexus APT group known to engage in espionage operations. 

What is VajraSpy?

VajraSpy is a RAT used by the Patchwork APT group to target Android users. The victims were primarily located in Pakistan, with some victims located in India. ESET’s WeLiveSecurity recently reported on this activity. 

ESET researchers discovered twelve Android espionage apps sharing the same malicious code. Six of these were on the Google Play Store. All but one of the malicious apps masqueraded as messaging tools; the remaining app masqueraded as a news app. The affected apps include Privee Talk, YohooTalk, TikTalk, MeetMe, Let’s Chat, Quick Chat, Rafaqat, Chit Chat, Hello Chat, GlowChat, Nidus, and Wave Chat.

The apps covertly installed VajraSpy, a RAT, on the victim’s device. The apps were installed over 1400 times, and some are still available on unofficial app repositories. ESET researchers noted the threat actors likely used a honeytrap romance scam to trick victims into installing the malware. 

VajraSpy has multiple capabilities, including stealing and exfiltrating contacts, files, call logs, device location, SMS messages, and WhatsApp and Signal messages. It can also record phone calls and take photos with the device’s camera. According to ESET, the threat actors used Firebase Hosting for C2. 

ESET noted there were three different groups of trojanized apps. The first group included trojanized messaging apps with basic malicious functionality. 

The second group included trojanized messaging apps with advanced functionality. In addition to the basic malicious functions, the second group abused Android’s built-in accessibility features to intercept WhatsApp and Signal messages and notifications. One of these apps, Wave Chat, also included options to record phone calls, record messaging app calls, log keystrokes, take photos, record audio, and scan for WiFi networks. 

The third group consisted of the one non-messaging application, Rafaqat, a news app. Of the three groups, this app has the most limited malicious capabilities: it can only intercept notifications and exfiltrate contacts and certain file types. 
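As an added example (not code from the original PolySwarm post or from ESET’s research), the following Python script performs the device-side triage a responder would want after reading the above: it lists which packages hold the notification-listener and accessibility privileges that the second group abuses, by parsing the output of `adb shell settings get secure <key>`. The allowlist and the package names in the embedded sample output are assumptions.

```python
"""Triage which Android packages hold the two privileges that VajraSpy's
second group abuses to read WhatsApp and Signal traffic: notification-listener
access and accessibility services. Input is the text printed by
`adb shell settings get secure <key>`; constructed sample output is embedded
so the script runs offline."""
import subprocess
from typing import Dict, List, Set

# Both keys are real Android "secure" settings; each value is a ':'-separated
# list of component names of the form package/ServiceClass, or "null".
SETTING_KEYS = ("enabled_notification_listeners", "enabled_accessibility_services")

# Hypothetical allowlist for the device under review (an assumption, not from the post).
ALLOWLIST: Set[str] = {"com.android.systemui"}

# Constructed sample output; the chat-app package name is invented for illustration.
SAMPLE_SETTINGS = {
    "enabled_notification_listeners":
        "com.android.systemui/.NotificationListener:"
        "com.example.wavechat/com.example.wavechat.svc.NotifListener",
    "enabled_accessibility_services": "com.example.wavechat/.AccessSvc",
}

def parse_components(value: str) -> List[str]:
    """Split a settings value into component names; 'null' means none set."""
    value = value.strip()
    if not value or value == "null":
        return []
    return [c for c in value.split(":") if c]

def packages_by_capability(settings: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each setting key to the set of packages holding that privilege."""
    return {key: {comp.split("/", 1)[0] for comp in parse_components(settings.get(key, "null"))}
            for key in SETTING_KEYS}

def suspicious_packages(settings: Dict[str, str], allowlist: Set[str] = ALLOWLIST) -> Dict[str, List[str]]:
    """Packages not on the allowlist, with the privileges they hold; a package
    holding both privileges is the first one to examine."""
    out: Dict[str, List[str]] = {}
    for key, pkgs in packages_by_capability(settings).items():
        for pkg in pkgs - allowlist:
            out.setdefault(pkg, []).append(key)
    return {pkg: sorted(keys) for pkg, keys in out.items()}

def read_device_settings() -> Dict[str, str]:
    """Pull both settings from a USB-attached device via adb (requires adb on PATH)."""
    return {key: subprocess.run(["adb", "shell", "settings", "get", "secure", key],
                                capture_output=True, text=True, check=True).stdout
            for key in SETTING_KEYS}
```

Run `suspicious_packages(read_device_settings())` against a connected device; with the embedded sample it flags only the constructed chat-app package, holding both privileges.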

Who is Patchwork?

Patchwork, also known as Hangover Group, Dropping Elephant, Chinastrats, MONSOON, Sarit, Quilted Tiger, APT-C-09, ZINC EMERSON, and Operation Hangover, is an India-nexus APT group known to engage in espionage operations. The group has been active since at least 2015. 

Patchwork is known to target diplomatic and government entities, including entities in Pakistan, China, Sri Lanka, Uruguay, Bangladesh, Taiwan, Australia, and the US. Some of their victims have included Pakistan's Ministry of Defense, National Defence University of Islamabad, Faculty of Bio-Sciences at UVAS Lahore, International Center for Chemical and Biological Sciences (ICCBS), H.E.J. Research Institute of Chemistry, Salim Habib University (SBU), and US think tanks.

Patchwork’s TTPs include, but are not limited to, spearphishing, RDP for lateral movement, and watering hole attacks; its tooling includes an AutoIt backdoor, BackConfig, BADNEWS, NDiskMonitor, PowerSploit, QuasarRAT, and TINYTYPHON.

While Patchwork is considered an advanced persistent threat, they have made mistakes in the past. In late 2021, the threat actors accidentally infected some of their own machines with BADNEWS RAT. This mistake allowed industry researchers to obtain keystrokes and screenshots from the threat actor group’s own systems. 

IOCs

PolySwarm has multiple samples of VajraSpy.


You can use the following CLI command to search for all VajraSpy samples in our portal:

$ polyswarm link list -f VajraSpy
